Eavesdropping on Sensitive Data via Unencrypted Geostationary Satellites

Recently, Wired.com published an article based on research from UC San Diego and the University of Maryland, highlighting how much sensitive, unencrypted data many geostationary satellites are broadcasting in the clear.

The researchers used a simple off-the-shelf 100 cm Ku-band satellite dish and a TBS-5927 DVB-S/S2 USB tuner card as the core hardware, noting that the total hardware cost was about $800.

Simple COTS hardware used to snoop on unencrypted satellite communications.

After receiving data from various satellites, they found that much of the data being sent was unencrypted, and they were able to obtain sensitive data such as plaintext SMS and voice call contents from T-Mobile cellular backhaul and user internet traffic. The researchers notified T-Mobile about the vulnerability, and to its credit, T-Mobile turned on encryption quickly.

They were similarly able to observe unencrypted data from various other companies and organizations, including the US Military, the Mexican Government and Military, Walmart-Mexico, a Mexican financial institution, a Mexican bank, a Mexican electricity utility, other utilities, maritime vessels, and offshore oil and gas platforms. They were also able to snoop on users' in-flight WiFi data.

Cellular Backhaul
We observed unencrypted cellular backhaul data sent from the core network of multiple telecom providers and destined for specific cell towers in remote areas. This traffic included unencrypted calls, SMS, end user Internet traffic, hardware IDs (e.g. IMSI), and cellular communication encryption keys.

Military and Government
We observed unencrypted VoIP and internet traffic and encrypted internal communications from ships, unencrypted traffic for military systems with detailed tracking data for coastal vessel surveillance, and operations of a police force.

In‑flight Wi‑Fi
We observed unprotected passenger Internet traffic destined for in-flight Wi-Fi users on airplanes. Visible traffic included passenger web browsing (DNS lookups and HTTPS traffic), encrypted pilot flight‑information systems, and in‑flight entertainment.

VoIP
Multiple VoIP providers were using unencrypted satellite backhaul, exposing unencrypted call audio and metadata from end users.

Internal Commercial Networks
Retail, financial, and banking companies all used unencrypted satellite communications for their internal networks. We observed unencrypted login credentials, corporate emails, inventory records, and ATM networking information.

Critical Infrastructure
Power utility companies and oil and gas pipelines used GEO satellite links to support remotely operated SCADA infrastructure and power grid repair tickets.

The technical paper goes in depth into how they set up their hardware, what services and organizations they were able to eavesdrop on, and how they decoded the signals. The team notes that they have notified affected parties, and most have now implemented encryption. However, it seems that several services are still broadcasting in the clear.


2 Comments
Micha
The article and the information are truly interesting. At the same time, it's unbelievable that much of this data is, or was, sent unencrypted.
Actually, in 2002 and earlier, it should have been obvious that some services could be intercepted or logged. Even though the transmission standards had changed from the then DVB-S to DVB-S2 and DVB-S2X (MPEG2/MPEG4), the encoding could have been enabled.

The initial experience was gained back then with a DBOX 1 and the DVB2000 / Dr. Overflow / Jamal 2003 software. The SCSI connection made it possible to collect large amounts of IP data in a short time.

The IPDVB2000 Streamreader (and its predecessors) logged the data stream from internet channels via satellite. In most cases, these were so-called "satellite-by-call" channels. Information was requested via a telephone line/modem and delivered via satellite. The results could be streamed almost unlimitedly. However, this was not restricted to a specific user, but to all users simultaneously. For example, it was possible to search specifically for photos or text. Entire web pages were not displayed. Depending on the log settings, the pages were broken down into only image or text elements, videos, graphics, etc.

MAC addresses were also logged. According to my information, monitoring an address specifically was not possible.

It was more convenient to use a satellite card in the PC. For this, the inexpensive B2C2 PCI satellite DVB card from Technisat or Hauppauge, for example, was sufficient. The LiveNet903 software could collect even more data. Emails and images from surveillance cameras have also been discovered here. Within a few minutes, 10,000 or more images could accumulate. The MAC address filter only worked with the significantly more expensive cards.


Now all that was missing were the frequencies of the data channels and, more importantly, the PID data of the transport streams.

The frequencies were listed online, but the PIDs were listed less frequently. This is where the DVB2000SI analyzer came in.

A complete transponder data stream, including all PIDs, could be analyzed via SCSI using the DBOX 1.

An article about the LiveNet903 software appeared at the time in Telesatellit by Dr. Dish/Christian Mass.

More info here:

heise.de/news/US-Forscher-belauschen-unverschluesselte-Satellitenkommunikation-10767623.html

quassi.nl/projects/dvb2000/ipdvb2000/

web.archive.org/web/20000510031413/http://quassi.virtualave.net/quassi.html

no-access.de/en/en_software_data.html

sat4all.com/forums/topic/31785-b2c2-kaart-en-ipdvb-streamreader-mbs-aan-files/

Regards, Micha
MARIO FILIPPI

Wish I didn’t take down all my FTA Ku-band satellite dishes. This sounds interesting. Thanks for posting.